For UK users concerned about their connected devices leaking personal data, help may be on the way. Fed up with the Internet of Things (IoT) industry’s failure to self-regulate, the UK government is preparing to govern the privacy and security of consumer devices itself. It has just released a consultation document that lays out a regulatory framework.
In October 2018, the government published its Code of Practice for IoT Security. The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) called the document a world first. It proposed 13 guidelines that it hoped would help companies in “shifting to a security mindset”, but the government came away disappointed by the lack of an industry response.
“Despite providing industry with these tools to help address these issues, we continue to see significant shortcomings in many products on the market,” it said in the consultation document. It has proposed a baseline for IoT security, taking the top three guidelines from a voluntary code.
These would require all IoT device passwords to be unique out of the box. The manufacturer would have to provide a public point of contact for vulnerability disclosures. Finally, manufacturers would have to explicitly state the minimum period for which the product will receive security updates, the document says.
A labelling scheme will accompany the regulations. This was already in the works as a voluntary initiative, and the government will still run it that way when it launches later this year. When regulation comes into force, though, things could be different. One option involves forcing retailers to only sell consumer IoT products with the label. Manufacturers might have to comply with all 13 guidelines of the October Code.
Manufacturers are unlikely to support government regulation, but statistics suggest that consumers are all for it. According to a report released in May 2019 by the Internet Society and Consumers International, 88% of consumers felt that manufacturers should have to comply with legal privacy and security standards. 81% said that manufacturers should only make connected devices that protected privacy and security.
Public opinion favours privacy
If IoT manufacturers don’t address these issues, consumer distrust could affect their commercial fortunes. The tide of opinion is turning against devices and vendors that don’t respect security and privacy.
63% of consumers in the Internet Society and Consumers International survey felt that devices were ‘creepy’ in how they collected data, with around the same number complaining about IoT devices’ data collection.
Even more consumers—77%—said that the availability of privacy information, either on a website or in product literature, was a factor in their purchasing decision. Only 67%, though, said that a privacy certification label of some kind contributed. That could be because there are precious few such labelling schemes out there today.
Manufacturers are busy proving consumers’ worst fears. In April, cybersecurity researcher Paul Marrapese uncovered a major flaw in P2P software used by hundreds of IoT vendors. The flaw enabled attackers to find connected devices by their unique ID and then connect to them. They could also intercept connections to a device, sniffing out video feeds and login credentials.
Other cybersecurity embarrassments have included children’s smartwatch software that leaks personal data including the young user’s exact location.
In both these cases, the culprits were Chinese software manufacturers who were either reluctant to fix the problem or unresponsive. That’s the big problem with IoT devices: there are many parties in the supply chain, including chipset vendors, firmware developers, back-end administrative software companies and the hardware manufacturers that use all these components.
It’s easy for these organizations to hide from their responsibilities in a supply chain that extends around the world. It’s uncertain whether regulatory pressure at the point of sale would force local distributors to put pressure on the device manufacturers or not. The Chinese smartwatch software case reflected a weakness in back-end software used to monitor IoT devices rather than the devices themselves, for example, but the potential outcome for their vulnerable young users was just as bad as if the watches themselves were hackable.
Still, as horrendous IoT privacy and security breaches continue to hit the headlines, you can’t blame the government for trying.
Train to find IoT flaws
In the meantime, cybersecurity researchers continue to find more problems. That could include you. At the SecTor conference this year, veteran hackers Craig Young, Tyler Reguly, and Lane Thames from cybersecurity company Tripwire will host the IoT Hacking training course.
The two-day ‘brainwashing embedded systems deep dive’ will kick off with a gentle introduction to IoT security exploit basics before exploring more advanced techniques. Trainees will learn analysis techniques using the Bash shell and Python scripts. They will practise picking apart device firmware on a Linux virtual machine, investigating techniques such as firmware extraction and OS injection bugs.
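As an added illustration of the firmware-extraction step mentioned above (this is example code written for this page, not material from the Tripwire course or the original article), the following Python script scans a firmware image for well-known filesystem and compression signatures and carves out the gzip member it finds, which is the first thing an analyst does before inspecting a device’s root filesystem. The firmware image is constructed inline so the script runs offline; the signature table is deliberately limited to SquashFS, gzip, CramFS and U-Boot uImage magics, and the 64-byte uImage header is a zero-filled placeholder rather than a real header.

```python
"""Locate and carve embedded filesystem/compression signatures in a firmware image.

Added example: a minimal signature scanner in the spirit of tools like binwalk.
The sample image below is constructed for the demonstration.
"""
import gzip
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic bytes of containers commonly found in consumer IoT firmware.
SIGNATURES = {
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x1f\x8b\x08": "gzip member",
    b"\x45\x3d\xcd\x28": "CramFS (little-endian)",
    b"\x27\x05\x19\x56": "U-Boot uImage header",
}


@dataclass
class Hit:
    offset: int
    kind: str


def scan_signatures(blob: bytes) -> List[Hit]:
    """Return every signature occurrence in the image, sorted by offset."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append(Hit(idx, kind))
            start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def carve_gzip(blob: bytes, offset: int) -> Optional[bytes]:
    """Decompress one gzip member starting at `offset`.

    A gzip-wrapped inflater stops at the end of the member, so data that follows
    it (padding, the next partition) is ignored rather than treated as corruption.
    Returns None if the stream is truncated or not a valid member.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        payload = inflater.decompress(blob[offset:])
    except zlib.error:
        return None
    return payload if inflater.eof else None


def analyse(blob: bytes) -> List[Tuple[int, str, int]]:
    """Report (offset, kind, carved_bytes) per hit; carved_bytes is 0 when nothing was carved."""
    report = []
    for hit in scan_signatures(blob):
        carved = carve_gzip(blob, hit.offset) if hit.kind == "gzip member" else None
        report.append((hit.offset, hit.kind, len(carved) if carved else 0))
    return report


# --- constructed sample image -------------------------------------------------
SAMPLE_KERNEL = b"kernel image placeholder (constructed for this example)"


def build_sample_image() -> bytes:
    """uImage header, gzip-compressed 'kernel', padding, then a SquashFS marker."""
    uimage = b"\x27\x05\x19\x56" + b"\x00" * 60          # 64-byte header, body zeroed
    kernel = gzip.compress(SAMPLE_KERNEL, mtime=0)       # mtime=0 keeps bytes deterministic
    padding = b"\xff" * 32                               # erased-flash filler
    squash = b"hsqs" + b"\x00" * 28 + b"rootfs placeholder"
    return uimage + kernel + padding + squash


if __name__ == "__main__":
    image = build_sample_image()
    for offset, kind, carved in analyse(image):
        print(f"0x{offset:08x}  {kind:<26}  carved={carved} bytes")
```

Running the script prints three hits: the uImage header at offset 0, the gzip member at offset 64 (carved back to the placeholder kernel text), and the SquashFS marker after the padding. On a real image the same scan tells you where the root filesystem begins so it can be unpacked and inspected for hard-coded credentials or shell-invoking CGI handlers, which is the defender-side use of the technique.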
Individuals may not have much say in how responsible IoT suppliers are with their security, but they can vote with their wallets. Collectively, they carry a lot of power. And the more technically minded among you can spend a couple of days finding out how to track down these vulnerabilities yourselves. Who knows–maybe your investigations could lead to a talk of your own at SecTor next year?